self-hosted ngrokd - client fails with 'Certificate signed by unknown authority' on Mac OS X #93
From what I've deduced, it seems like the go crypto library doesn't find the Root CA I'm sending from the server. I've tried adding it to the OS X Keychain, compiling it into the client in various ways (as mentioned above), but I still can't get the client to accept the server's root ca. I'm stumped, please help me out - does anybody have any experience with GO and the OS X keychain?
Refer to #84
Same problem. Everyone is talking about self-signed CA, but according to the docs, if I use a valid CA, I don't need to recompile but set the path to the cert in the config file.
I got the same problem with a signed CA by letsencrypt, Mac's client. The problem seemed to be from the rootCA file. I've managed to solve it by copying letsencrypt's signed CA to assets/client/tls/ngrokroot.crt (overwrite the ngrokroot.crt file). Then recompiling server and client would finish it.
@longle255 Check if you're using ngrok server 1.x, turned out my problem was due to using ngrok server 2.x and client 1.x.
@longle255 Can you detail out the steps you took to use letsencrypt's certs for ngrokd? Here are my letsencrypt domain key/cert files:
After getting the certificates from letsencrypt, I did this (overwriting default ngrokroot.crt): I'm running the daemon as:
Also, my client is version 1.7, the server is 1.0, since it says in the README here that v2.0 is not open source.
@noodlebreak you should replace the cert file of ngrok by the rootCA file of letsencrypt from their website (https://letsencrypt.org/certificates/), particularly this one
@longle255 But then would I have to change the
no, just keep the
@longle255 Actually, that's one thing I'm confused about.
So is it correct if I map
you're doing it correctly, in terms of mapping tlskey and tlscrt. The step that needs to be altered is replacing the part
@longle255 Thanks a tonne, that worked perfectly.
And on the client side, I keep seeing this:
EDIT: I forgot it is explained here:
@noodlebreak I'm in the same boat as you. I'm a bit unclear on the server setup prior to compiling. Am I correct with this, @longle255 ? SERVER: CLIENT
Then, I compiled the server side with I have made sure to setup my config file to accompany the .exe: I use this to start the server on Ubuntu 14.04: I kick off the Windows client with: When I do this, I get the following on the server side:
Any ideas how I'm screwing this up? In Firefox, addressing https://mydomain.com:8443 results in this response
@unstatusthequo what is the number at the end of your command for ? Also, please open up logging on your client side to see what goes on in that end.
That's the port I want opened on localhost that the server routes to. I think I may have some idea of what's going on. So the same server I have this on is running vhosts on Apache. My sense is I really need the version 2 feature of rewriting headers... my sense is that's what's screwing up the headers. @inconshreveable , any word on adding some of the creature comfort features of 2.0 to OSS? I'm dead in the water without it, apparently.
I'm seeing an issue connecting an ngrok client to a self-hosted ngrokd. The ngrokd is being supplied with a valid key/crt pair, not self-signed (CACert signed, in fact), but the client running on OS X still fails to connect with:
After some research I figured out that the crypto package for OS X does use the OS X keychain to look for fitting Root-CA's (and doesn't rely on a different certificate store, like, say, the OpenSSL store), so I added the Root-CA's to the KeyChain and trusted them. The effect remains the same.
To try a different approach, I also copied the Root-CA into the assets/client/tls directory, both leaving the same name and replacing the existing assets/client/tls/ngrokroot.crt file, and then running both make client and make release-client, but that does not change anything either (although I can see that the release-client does recognize the additional .crt files as assets and adds them to the file assets-release.go). The certificate the server is supplying is part of a two-step chain (there is an intermediary certificate before the 'real' root-cert, I tried both there as well). What am I doing wrong? Where else would ngrok go looking for that certificate? Can I supply the certificate to the client directly?
I'm really hoping someone can help me here - ngrok is really great and would really help with our development efforts, but not unless I can get it to run....
Thanks for any help!
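The thread above (the original report, and the later replies about overwriting assets/client/tls/ngrokroot.crt with the Let's Encrypt CA) comes down to how a Go TLS client decides whether a server certificate is "signed by unknown authority": it verifies the leaf against a fixed root pool plus whatever intermediates the server sends, and never consults the OS X keychain when the program supplies its own pool. The example below is added here and is not ngrok's own code; it assumes a constructed three-tier PKI (root, intermediate, leaf for the made-up host ngrokd.example.test) generated in memory, and it models only the trust logic (a Go client with a compiled-in root PEM), not ngrok's tunnel protocol. It runs the same leaf through four client configurations: the right root with the intermediate presented, the stock root left in place, the right root but the server omitting its intermediate, and the intermediate itself pinned as the trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with parentKey; with parent == nil the cert is self-signed with its own new key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newPKI builds a constructed root -> intermediate -> leaf chain for host; org keeps two PKIs distinct.
func newPKI(org, host string) (root, inter, leaf *x509.Certificate, err error) {
	now := time.Now()
	tmpl := func(cn string, serial int64, isCA bool, dns []string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{org}, CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), DNSNames: dns,
			IsCA: isCA, BasicConstraintsValid: true, // KeyUsageCertSign only matters on the two CAs
			KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
	}
	var rootKey, interKey *ecdsa.PrivateKey
	if root, rootKey, err = mkCert(tmpl("Root CA", 1, true, nil), nil, nil); err != nil {
		return
	}
	if inter, interKey, err = mkCert(tmpl("Intermediate CA", 2, true, nil), root, rootKey); err != nil {
		return
	}
	leaf, _, err = mkCert(tmpl(host, 3, false, []string{host}), inter, interKey)
	return
}

// clientVerdict mirrors a Go TLS client with a compiled-in root: trust only the PEM that would sit in
// assets/client/tls/ngrokroot.crt, use the extra certs the server presented as intermediates, and report.
func clientVerdict(trusted *x509.Certificate, presented []*x509.Certificate, leaf *x509.Certificate, host string) string {
	rootPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: trusted.Raw})
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return "no certificate found in root PEM"
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	var uae x509.UnknownAuthorityError
	if errors.As(err, &uae) { // the failure reported in this issue
		return "unknown authority"
	} else if err != nil {
		return err.Error()
	}
	return "ok"
}

// Scenarios checks four client trust configurations against the same ngrokd leaf certificate.
func Scenarios(host string) (map[string]string, error) {
	root, inter, leaf, err := newPKI("Example Public CA", host)
	if err != nil {
		return nil, err
	}
	stockRoot, _, _, err := newPKI("Stock ngrok CA", host) // unrelated PKI standing in for the shipped ngrokroot.crt
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"correct root, server sends intermediate": clientVerdict(root, []*x509.Certificate{inter}, leaf, host),
		"stock root left in ngrokroot.crt":        clientVerdict(stockRoot, []*x509.Certificate{inter}, leaf, host),
		"correct root, server omits intermediate": clientVerdict(root, nil, leaf, host),
		"intermediate pinned as the trust anchor": clientVerdict(inter, nil, leaf, host),
	}, nil
}

func main() {
	res, err := Scenarios("ngrokd.example.test") // assumed hostname
	fmt.Println(res, err)
}
```

Two of the four outcomes are the ones this thread keeps hitting: leaving the stock root in ngrokroot.crt fails, and so does the correct root when the server only presents its leaf, because the client has nothing to bridge the leaf to the trusted root (for Let's Encrypt that means serving the full chain, not just the domain certificate). Pinning the intermediate works because Go treats anything in the Roots pool as a trust anchor, self-signed or not, which is why overwriting ngrokroot.crt with either the Let's Encrypt root or its intermediate made the client connect; the root is the more durable choice because intermediates rotate.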